IN THE CLAIMS 



1. (currently amended) In a distributed network having a number of server
computers and associated client devices, a network virus defense system, comprising:

a network virus/worm sensor operable in a number of modes arranged to detect a 
computer virus or a computer worm in the network such that the bandwidth of the network is 
substantially unaffected in a first mode in that data packets are not removed from or added to 
network traffic, but are copied, and wherein when the virus sensor detects the computer virus, the 
virus sensor switches to a second mode, wherein the data packets are not copied and wherein a 
subset of data packets determined to be infected or suspected of being infected are not returned 
to the network; 

a network virus sensor self registration module coupled to the network virus/worm sensor 
arranged to automatically self register the associated network virus/worm sensor;

a controller storing a rules engine used to store and source a plurality of detection rules 
for detecting computer viruses and worms and using statistical results of observed abnormal 
events as recorded and monitored by a virus monitor, the abnormal events defined in 
policies and the plurality of detection rules in the virus monitor, and wherein the virus 
monitor generates an abnormal behavior report which is evaluated by a server which 
determines an action to perform;

a server for virus cleaning agents from known viruses and unknown viruses 
subsequently analyzed; and 

an anti-virus agent creation module arranged to create an anti-virus agent or create a 
detection module, an infection module and a payload. 

2. (original) A system as recited in claim 1, wherein during an initialization
phase of the network virus/worm sensor, the network virus/worm self registration module 
collects selected network environmental information and network configuration information. 

3. (previously presented) A system as recited in claim 2, wherein when the 
distributed network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the IP-based type 
network. 

4. (original) A system as recited in claim 3, wherein the network configuration
information includes self configuration information related to an appropriate IP address for the 
network virus/worm sensor. 

5. (original) A system as recited in claim 4, wherein the network configuration 
information includes locations of all relevant server computers. 

6. (original) A system as recited in claim 5, wherein selected ones of the 
relevant server computers are identified as controllers. 

7. (original) A system as recited in claim 6, wherein each of the identified 
controllers includes a rules engine used to store and source a plurality of detection rules for 
detecting computer viruses and worms and an outbreak prevention policy (OPP) distribution and 
execution engine that provides a set of anti-virus policies, protocols, and procedures suitable for
use by a system administrator for both preventing viral outbreaks and repairing any subsequent 
damage caused by a viral outbreak. 

8. (original) A system as recited in claim 7, wherein during the initialization
phase, each of the rules engines associated with each of the identified controllers are updated 
with a set of detection rules for detecting computer viruses and worms. 

9. (original) A system as recited in claim 7, wherein during the initialization 
phase, each of the outbreak prevention policy distribution and execution engines associated with 
each of the identified controllers are updated with a set of anti-virus policies, a set of anti-virus
protocols, and a set of anti-virus procedures.

10. (previously presented) A system as recited in claim 1, wherein in a first 
mode the bandwidth of the network is substantially unaffected by the network virus/monitor 
sensor, the network virus/monitor sensor not removing or adding network traffic but copying 
data packets, and wherein when the network virus/worm sensor detects a computer virus or a 
computer worm, the virus/worm sensor switches to a second mode such that only those data 
packets infected by the computer virus are not returned to the network. 

11. (currently amended) In a distributed network having a number of server
computers and associated client devices and a network virus/worm monitor sensor operable in a 
number of modes, a method of self registering a network virus defense system comprising: 

detecting a computer virus or a computer worm in the network such that bandwidth of the 
network is substantially unaffected in a first mode in that data packets are not removed from or 
added to network traffic, but are copied, and wherein when the virus sensor detects the computer 
virus, the virus sensor switches to a second mode, wherein the data packets are not copied and 
wherein a subset of data packets determined to be infected or suspected of being infected are not 
returned to the network;

automatically self registering the network/virus worm sensor by using a network virus
sensor self registration module coupled to the sensor;

storing a rules engine used to store and source a plurality of detection rules for
detecting computer viruses and worms and using statistical results of observed abnormal events 
as recorded and monitored by a virus monitor, the abnormal events defined in policies and 
the plurality of detection rules in the virus monitor, and wherein the virus monitor 
generates an abnormal behavior report which is evaluated by a server which determines an 
action to perform; 

providing virus cleaning agents from known viruses and unknown viruses subsequently 
analyzed; and 

creating a detection module that detects whether a client device is infected with a virus 
and triggers the introduction of an anti-virus infection module so that the virus in the client
device is overwritten and an anti-virus agent payload is created based on features of the selected
computer virus and which performs as a cleaning/repairing payload capable of cleaning and 
repairing damage done to the client device. 

12. (previously presented) A method as recited in claim 11, further 
comprising: 
during an initialization phase of the network virus/worm sensor, collecting selected
network environmental information and network configuration information by the network 
virus/worm self registration module. 

13. (previously presented) A method as recited in claim 12, wherein when the 
distributed network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the IP-based type 
network. 

14. (original) A method as recited in claim 13, wherein the network 
configuration information includes self configuration information related to an appropriate IP 
address for the network virus/worm sensor. 

15. (original) A method as recited in claim 14, wherein the network 
configuration information includes locations of all relevant server computers. 

16. (original) A method as recited in claim 15, wherein selected ones of the 
relevant server computers are identified as controllers. 

17. (previously presented) A method as recited in claim 16, wherein each of 
the identified controllers includes a rules engine used to store and source a plurality of detection 
rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and 
procedures suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak. 

18. (original) A method as recited in claim 17, further comprising:
during the initialization phase, 

updating each of the rules engines associated with each of the identified controllers with a 
set of detection rules for detecting computer viruses and worms. 

19. (original) A method as recited in claim 17, further comprising: 
during the initialization phase, 

updating each of the outbreak prevention policy distribution and execution engines 
associated with each of the identified controllers with a set of anti-virus policies, a set of
anti-virus protocols, and a set of anti-virus procedures.

20. (previously presented) A method as recited in claim 11, wherein in a
first mode the bandwidth of the network is substantially unaffected by the network virus/monitor 
sensor, the network virus/monitor sensor not removing or adding network traffic but copying 
data packets, and wherein when the network virus/worm sensor detects a computer virus or a 
computer worm, the virus/worm sensor switches to a second mode such that only those data 
packets infected by the computer virus are not returned to the network. 

21. (currently amended) In a distributed network having a number of server
computers and associated client devices, computer program product for self registering a
network virus defense system, that includes a network virus/worm sensor operable in a number 
of modes arranged to detect a computer virus or a computer worm in the network, comprising: 

computer code for automatically self registering the associated network virus/worm 
sensor by a network virus sensor self registration module coupled to the network 
virus/worm sensor; 

detecting a computer virus or a computer worm in the network such that bandwidth 
of the network is substantially unaffected in a first mode in that data packets are not 
removed from or added to network traffic, but are copied, and wherein when the virus 
sensor detects the computer virus, the virus sensor switches to a second mode, wherein the 
data packets are not copied and wherein a subset of data packets determined to be infected 
or suspected of being infected are not returned to the network;

automatically self registering the sensor by a network virus sensor self registration 
module coupled to the sensor; 

storing a rules engine used to store and source a plurality of detection rules from 
detecting computer viruses and worms and using statistical results of observed abnormal 
events as recorded and monitored by a virus monitor, the abnormal events defined in 
policies and the plurality of detection rules in the virus monitor, and wherein the virus 
monitor generates an abnormal behavior report which is evaluated by a server which 
determines an action to perform; 

providing virus cleaning agents from known viruses and unknown viruses 
subsequently analyzed; and 

creating a detection module that detects whether a client device is infected with a 
virus and triggers the introduction of an anti-virus infection module so that the virus in the 
client device is overwritten and an anti-virus agent payload created based on features of the
selected computer virus and performs as a cleaning/repairing payload capable of cleaning
and repairing damage done to the client device; and 

computer readable medium for storing the computer code. 

22. (original) Computer program product as recited in claim 21, further 
comprising: 

computer code for collecting selected network environmental information and network 
configuration information by the network virus/worm self registration module during an 
initialization phase. 

23. (original) Computer program product as recited in claim 22, wherein when 
the network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the network. 

24. (original) Computer program product as recited in claim 23, wherein the 
network configuration information includes self configuration information related to an 
appropriate IP address for the network virus/worm sensor. 

25. (original) Computer program product as recited in claim 24, wherein the 
network configuration information includes locations of all relevant server computers. 

26. (original) Computer program product as recited in claim 25, wherein selected 
ones of the relevant server computers are identified as controllers. 

27. (original) Computer program product as recited in claim 26, wherein each of
the identified controllers includes a rules engine used to store and source a plurality of detection 
rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and
procedures suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak. 

28. (original) Computer program product as recited in claim 27, further 
comprising: 

during the initialization phase, 

updating each of the rules engines associated with each of the identified controllers with a 
set of detection rules for detecting computer viruses and worms. 

29. (original) Computer program product as recited in claim 27, further 
comprising: 

computer code for updating each of the outbreak prevention policy distribution and 
execution engines associated with each of the identified controllers with a set of anti-virus 
policies, a set of anti-virus protocols, and a set of anti-virus procedures during the initialization
phase. 

30. (previously presented) Computer program product as recited in claim 21, 
wherein in a first mode the bandwidth of the network is substantially unaffected by the network 
virus/monitor sensor, the network virus/monitor sensor not removing or adding network traffic 
but copying data packets, and wherein when the network virus/worm sensor detects a computer 
virus or a computer worm, the virus/worm sensor switches to a second mode such that only those
data packets infected by the computer virus are not returned to the network. 